All posts by cryptosmith

Writer, educator, and consultant in cybersecurity; author of three books.

The practical digital library updated

Library bookcaseA few years ago I moved my private library to the cloud. It uses Calibre to catalog my books, and the Open Publication Distribution System (OPDS) to provide an Internet-capable catalog. OPDS is built in to a lot of publisher-independent e-reader software. My e-readers can generally retrieve books from Internet hosts that provide OPDS.

My latest library uses COPS to construct the OPDS catalog from my Calibre database (book list). I update my library by keeping a copy of my Calibre database and directory of book files on a web server.

Continue reading The practical digital library updated

Ross Anderson and another edition of Security Engineering

Security Engineering, by Ross AndersonEvery cybersecurity professional knows – and almost certainly owns – this book. Ross Anderson published the first edition back around 2001. He’s starting a third edition and is using an on-line collaborative model for developing revisions. He has already posted drafts of a few revised chapters.

Ross recently pointed out a disappointing result from Edward Snowden’s releases of NSA classified documents: most published analysis has been reportage. No one has done a “deep dive” into the technical aspets of what was released. This would probably still be of technical interest. It astonishes me every day how, despite perceived ongoing radical improvements in technology, things don’t really change that much.

A Forged “From” Address

Email with a forged FROM addressTo the left we see part of a malicious email. The author brags about how the From address is the same as the To address. This is supposed to mean that the author has broken into my email account.

I have been waiting patiently for someone to mail one of these to me. Now I can use it as an example. I’ll show you how to uncover it as a fraud.

Continue reading A Forged “From” Address

This photo should not exist

pin.it/fnnc4j6fjamugy

Once we get past the creep factor of Nazi army uniforms, we see a communications team sending a secret message. They are using the legendary Enigma machine to encrypt the message.

But why, why did that officer allow a photographer to record this highly sensitive activity?

A failure of operational security (OPSEC). Allies in Bletchley Park would have sacrificed lives for this photo, or any photo showing the device in operation.

Continue reading This photo should not exist

Invoice Phishing Campaign

Phishing email

Here is a phishing email I received today. These almost always land in my junk mail (hooray!).

This particular one encourages me to click on a Microsoft Word file claiming to contain an invoice I should pay. I also received a couple with “.xps” attachments. These apparently make use of printer paper specification files in MS Windows.

According to an article in Threatpost, these may be part of a phishing campaign that uses an unpatched flaw in MS Windows.

Continue reading Invoice Phishing Campaign

Sen. John McCain, 1936-2018

In June, 1999, Senator John McCain had started his presidential bid and was visiting companies in Silicon Valley, including Secure Computing Corporation, where I worked. He was there to discuss government policies on several tech topics, including the export of cryptographic technologies and products. I had been writing policy statements about crypto exports as part of my job. I’d also published my first book, Internet Cryptographyso they flew me out from Minnesota to meet the Senator.

Continue reading Sen. John McCain, 1936-2018